It has been discovered that TYPO3 Core is vulnerable to
+ Cross-Site Scripting and Remote Code Execution.

+

TYPO3 bundles flash files for video and audio playback. Old
+ versions of FlowPlayer and flashmedia are susceptible to
+ Cross-Site Scripting. No authentication is required to exploit
+ this vulnerability.

+

The file upload component and the File Abstraction Layer are
+ failing to check for denied file extensions, which allows
+ authenticated editors (even with limited permissions) to
+ upload php files with arbitrary code, which can then be
+ executed in web server's context.